Slides from an Embry-Riddle Aeronautical University webinar presented April 12, 2018 by Dr. Remzi Seker, Professor of Cybersecurity Engineering, ERAU Daytona Beach. Dr. Seker discusses cybersecurity issues and threats in protecting aircraft and the aviation industry.
2. Today’s Agenda
• Welcome/Introduction – Bill Gibbs
• Presentation – Dr. Remzi Seker
• Questions and Answers
• Upcoming Webinars
• Certificate of Participation/eBadge
• Optional Survey
Bill Gibbs, Director Campus Outreach & Webinar Coordinator
3. Dr. Remzi Seker
• Professor, Computer Science, College of Engineering, ERAU Daytona Beach
• Program Coordinator, MS Cybersecurity Engineering
• Director of the Cybersecurity and Assured Systems Engineering (CyBASE) Center
• Researches security of critical systems and computer forensics. Author of over 90 publications
• Frequently interviewed by media
• Ph.D. in Electrical Engineering and Computer Science, University of Alabama at Birmingham
4. Aviation Cybersecurity: A Concise Introduction
Remzi Seker, Ph.D.
sekerr@erau.edu
Program Coordinator, MS CybE
Embry-Riddle Aeronautical University – Daytona Beach
6. The Evolution
• Systems evolve over time
• Aviation systems are no exception
• How do they evolve?
  • Computing
  • Communication
  • Control
• Evolution in these results in new threats
8. The Evolution - 2
• Do new threats surface only because systems evolve?
  • No.
• What else produces new threats?
  • The environment!
• What does evolution have to do with safety or security?
  • Increased threats
  • Increased complexity
9. The Challenge
• Time to ponder.
• Safety-critical systems, e.g. DAL-A (catastrophic), are expensive to develop
  • Development highly regulated
  • Changes are expensive
• When the aviation industry develops a technology, the average expected lifetime of the product line is ~30 years
• That’s nice; the question is:
  • How are we going to maintain certification as airplanes turn into flying computers that are networked?
10. Cybersecurity and IoW
• As airframes are increasingly controlled by computers and connected to terrestrial systems such as SWIM, we need to worry about cybersecurity issues
• Many people have heard of the concept Internet of Things (IoT)
  • That doesn’t really apply to aviation systems (too generic)
• What we have here is actually the Internet of Wings (IoW) in the making
11. Some Technologies
• Let’s grasp the big picture: Where are all the computers?
  • Airports: checking, luggage, ground operations, ...
  • Maintenance Workshops
  • National Air Space Operators’ (FAA, EUROCAE, …) systems: SWIM, EMS/GEMS, …
  • Onboard aircraft: ADS-B, ACARS, EFB, …
12. SWIM and Aircraft Connectivity
• We will now identify some threats associated with aircraft connectivity to SWIM
• We will keep our scope limited to EFBs only
13. System Wide Information Management (SWIM)
• Shares National Airspace (NAS) data among the stakeholders
  • Service Providers
  • government agencies
  • organizations
  • commercial organizations
• Faster integration of new NAS services
• Message exchange mechanisms
• Discovery of services
• Service performance monitoring
• Secure execution environment
14. Aircraft Access to SWIM (AAtS)
• Current System
  • Voice communication: read back clarity and frequency interference.
  • Lack of real-time weather modeling, aeronautical, and traffic information
  • Lack of real-time access to flight information and weather information provided by aircraft sensors or crew by the Air Traffic Management (ATM).
  • Inefficient decision making by the flight crew due to the lack of comprehensive real-time National Airspace (NAS) data.
• AAtS Provides
  • NAS services to the crew via SWIM infrastructure
  • Ground-to-air information exchange between aircraft and NAS services
[Figure: AAtS data-flow diagram. Labels: Data Sources (Weather Data, Flight Data, Aeronautical Data, Air Traffic Management System), SWIM, NESG, DMS, AOC/FOC, Control, Command & Control, Situational Data.]
15. AAtS Components
• Aircraft:
  • Mainly a consumer of National Airspace (NAS) data
  • Electronic Flight Bag (EFB) available to the pilot and the crew
  • NAS service provider by supplying sensor data as well as visually conceived weather information
• Aircraft received data include:
  • air traffic management (ATM) data,
  • weather data,
  • notices to airmen (NOTAMs),
  • special activity airspace (SAA),
16. AAtS Components - 2
• Data Management Service (DMS):
  • Responsible for managing the data flow between the NAS Enterprise Security Gateway (NESG) and the aircraft.
  • Manages the access and services among the shared data providers and the data consumer (aircraft).
  • Network establishment
  • Connection to NESG and to the aircraft
  • Service registration, publication, and subscription
  • Protocol translation between the NESG and aircraft client
  • Data filtering, data validation, data provision
• Data Link Service (DLS):
  • Responsible for the network connection between the DMS and the aircraft
  • Providing the network services as well as routing the data via the appropriate protocol and path
18. Threat Identification
TH1: Improper traffic from the EFB blocking bandwidth -> Denial of Service (DoS).
[Figure: AAtS network diagram (EFB on the flight deck, WiFi access point/router, Data Link Service (DLS), DLSP proxy, the Internet, DMS proxy, DMS server, firewall + IPS, certificate authority). Flight deck traffic uses encrypted connections; cabin traffic uses a plaintext wireless connection. Annotation: streaming media.]
19. Threat Identification
TH2: Cabin user gaining unauthorized access to DLS and conducting DoS through extreme consumption of the bandwidth.
[Figure: AAtS network diagram (EFB on the flight deck, WiFi access point/router, Data Link Service (DLS), DLSP proxy, the Internet, DMS proxy, DMS server, firewall + IPS, certificate authority). Flight deck traffic uses encrypted connections; cabin traffic uses a plaintext wireless connection. Annotations: Device A (in EFB subnet); cabin user gets the EFB WiFi key; malicious outbound DoS packets.]
20. Threat Identification
TH3: Cabin user gaining unauthorized access to Wireless Access Point/Router to change configuration settings.
[Figure: AAtS network diagram (EFB on the flight deck, WiFi access point/router, Data Link Service (DLS), DLSP proxy, the Internet, DMS proxy, DMS server, firewall + IPS, certificate authority). Flight deck traffic uses encrypted connections; cabin traffic uses a plaintext wireless connection. Annotation: Device A gains unauthorized access because of weak password of router.]
21. Threat Identification
TH4: Authenticated cabin user consuming the DLS bandwidth and conducting DoS.
[Figure: AAtS network diagram (EFB on the flight deck, WiFi access point/router, Data Link Service (DLS), DLSP proxy, the Internet, DMS proxy, DMS server, firewall + IPS, certificate authority). Flight deck traffic uses encrypted connections; cabin traffic uses a plaintext wireless connection. Annotation: cabin user streaming media over encrypted VPN.]
22. Threat Identification
TH5: Authenticated user conducting reconnaissance on the DLSP’s network for mapping the network along with fingerprinting servers.
[Figure: AAtS network diagram (EFB on the flight deck, WiFi access point/router, Data Link Service (DLS), DLSP proxy, the Internet, DMS proxy, DMS server, firewall + IPS, certificate authority). Flight deck traffic uses encrypted connections; cabin traffic is plaintext. Annotations: cabin user runs Nmap in network; generate the network map.]
23. Threat Identification
TH6: External DoS attacks on the DLSP servers by using a discovered IP address/hostnames of servers on the DLSP’s network.
[Figure: AAtS network diagram (EFB on the flight deck, WiFi access point/router, Data Link Service (DLS), DLSP proxy, the Internet, DMS proxy, DMS server, firewall + IPS, certificate authority). Flight deck traffic uses encrypted connections; cabin traffic uses a plaintext wireless connection. Annotations: bandwidth flood and packet flood by EFB user; bandwidth flood and packet flood by external user; attacker carries out external DDoS attack on DLSP proxy server through packet flood; cabin user carries out external DDoS attack on DLSP proxy server through packet flood.]
24. Threat Identification
TH7: Conducting DoS against the Wireless Access Point/Router onboard the aircraft.
[Figure: AAtS network diagram (EFB on the flight deck, WiFi access point/router, Data Link Service (DLS), DLSP proxy, the Internet, DMS proxy, DMS server, firewall + IPS, certificate authority). Flight deck traffic uses encrypted connections; cabin traffic uses a plaintext wireless connection. Annotations: Device A (different subnet); 3 Watt handheld WiFi signal jammer.]
25. Threat Identification
TH8: MITM attacks on the EFB-DMS path.
[Figure: AAtS network diagram (EFB on the flight deck, WiFi access point/router, Data Link Service (DLS), DLSP proxy, the Internet, DMS proxy, DMS server, firewall + IPS, certificate authority). Flight deck traffic uses encrypted connections; cabin traffic uses a plaintext wireless connection. Annotations: EFB marked as victim; MITM connection. Caption: TH8-Test1 MITM Attack on the EFB-DMS Path.]
26. Threat Identification
TH9: DoS/DDoS attacks against the DMS.
[Figure: AAtS network diagram (EFB on the flight deck, WiFi access point/router, Data Link Service (DLS), DLSP proxy, the Internet, DMS proxy, DMS server, firewall + IPS, certificate authority). Flight deck traffic uses encrypted connections; cabin traffic uses a plaintext wireless connection. Annotations: cabin user makes excessive login attempts and creates DoS and DDoS attack; external user makes excessive login attempts; external DoS and DDoS attack.]
27. AAtS Wrap up
• We went over some of the threats for EFB connectivity
• The next step would be to conduct risk analysis and discuss how the threats can be alleviated
• We didn’t even cover the EMS/GEMS type of subsystems or technologies like AeroMACS
• For the sake of diverse coverage, let’s move on to ADS-B…
28. ADS-B
• ADS-B is the technology that has been heralded by the Federal Aviation Administration (FAA) and other civil aviation authorities as central to modernizing the state of airspace management across the globe
• Chosen under the NextGen Air Transportation System and Single European Sky programs to improve the accuracy of radar-based traffic information used by air traffic controllers
29. Standardization & Adoption
• ADS-B standard has been jointly developed by RTCA and EUROCAE.
• Within the US, ADS-B implementation is guided by:
  • DO-242A: Minimum Aviation System Performance Standards for Automatic Dependent Surveillance – Broadcast (ADS-B)
  • DO-260B: Minimum Operational Performance Standards for 1090 MHz Extended Squitter ADS-B and TIS-B
  • DO-282B: Minimum Operational Performance Standards for Universal Access Transceiver (UAT) ADS-B
• Already fully deployed in Australia, Europe, and parts of Canada.
• Required equipment within the US in certain airspaces by 2020 [3].
30. ADS-B Intro
• ADS-B intends to improve on its Secondary Surveillance Radar (SSR) predecessors in distinct ways
1. It is automatic, in the sense that no controller or pilot action is required to transmit aircraft information to nearby receivers.
2. It is dependent surveillance, in that the accuracy of transmitted information is dependent on the existence of adequate navigational information onboard the aircraft (e.g. GPS).
3. It is a one-way broadcast in nature, in the sense that aircraft information is transmitted without a priori knowledge of who will actually receive it.
31. ADS-B Intro
• ADS-B has been approved for operation on two separate data links: 978MHz and 1090MHz.
  • The former is referred to as Universal Access Transceiver (UAT), and is intended predominantly for use by general aviation operators.
  • The latter, on the other hand, is generally referred to as Extended Squitter Mode S (1090ES), and is intended predominantly for use by commercial aviation operators.
• ADS-B services can then be further categorized into ADS-B In and ADS-B Out.
  • ADS-B Out consists of all functionality pertaining to the automatic broadcast of aircraft parameters by participants
  • ADS-B In consists of all functionality pertaining to the receipt, processing, and presentation of this information to pilots and controllers
32. ADS-B Intro
• While ADS-B data links exist on separate frequencies, probably the most significant difference between them is the length of messages available to broadcast the same types of information to nearby aircraft.
  • For the 1090ES data link, messages are only 14 bytes long
  • UAT messages can be anywhere from 18-34 bytes long depending on the payload type.
• As stated by DO-260B, the “maximum ADS-B message transmission rate [for an aircraft] shall not exceed 6.2 transmitted messages per second”
33. ADS-B Fundamentals
• Approved for use on two data links: UAT (978 MHz) & 1090ES (1090 MHz)
  • Let’s focus on the latter, due to resource limitations, constraints, and limited focus within research domain.
• Since the 1090MHz frequency is shared with all other legacy SSR systems, an ADS-B message begins with the declaration of the ADS-B downlink format number (17).
• Then comes a description of the Mode S transponder (CA), followed by the transponder’s 24-bit ICAO address (AA), message parameters (ME), and parity check bits (PI)

Bit #       Field Name [n]
1 – 5       DF = 17 [5]
6 – 8       CA [3]
9 – 32      AA ICAO Code [24]
33 – 88     ME [56]
89 – 112    PI [24]
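The field layout above as a parser, an added example that is not part of the original slides. The CRC-24 generator polynomial comes from the Mode S specification rather than from the slides, and the ICAO address and ME payload in the sample frame are constructed placeholders.

```python
# Added example: splits a 112-bit 1090ES frame into the fields on the slide.
# Assumption (not on the slides): PI is the Mode S CRC-24 over bits 1-88.
MODE_S_GENERATOR = 0x1FFF409  # x^24 + x^23 + ... + x^10 + x^3 + 1

def crc24(data: bytes) -> int:
    """Remainder of data * x^24 divided by the Mode S generator."""
    reg = 0
    for byte in data:
        reg ^= byte << 16
        for _ in range(8):
            reg <<= 1
            if reg & 0x1000000:
                reg ^= MODE_S_GENERATOR
    return reg

def build_frame(ca: int, aa: int, me: int) -> str:
    """Assemble a DF=17 frame as constructed test input (not captured traffic)."""
    head = ((17 << 3 | ca) << 80 | aa << 56 | me).to_bytes(11, "big")
    return (head + crc24(head).to_bytes(3, "big")).hex()

def parse_1090es(frame_hex: str) -> dict:
    raw = bytes.fromhex(frame_hex)
    if len(raw) != 14:
        raise ValueError("a 1090ES ADS-B message is 14 bytes (112 bits)")
    bits = int.from_bytes(raw, "big")
    return {
        "DF": bits >> 107,                     # bits 1-5
        "CA": (bits >> 104) & 0x7,             # bits 6-8
        "AA": (bits >> 80) & 0xFFFFFF,         # bits 9-32
        "ME": (bits >> 24) & ((1 << 56) - 1),  # bits 33-88
        "PI": bits & 0xFFFFFF,                 # bits 89-112
        # A frame that carries its own CRC leaves a zero remainder.
        "parity_ok": crc24(raw) == 0,
    }

def flip_bit(frame_hex: str, bit_no: int) -> str:
    """Flip one bit (1-based, as numbered on the slide) to model channel noise."""
    return f"{int(frame_hex, 16) ^ (1 << (112 - bit_no)):028x}"

# Constructed values: the address and ME payload are arbitrary placeholders.
SAMPLE = build_frame(ca=5, aa=0xABCDEF, me=0x00112233445566)

if __name__ == "__main__":
    print(SAMPLE, parse_1090es(SAMPLE))
    print(parse_1090es(flip_bit(SAMPLE, 40))["parity_ok"])  # one flipped ME bit
```

The PI field is an unkeyed checksum: it catches transmission errors, but any sender can compute it, so a passing parity check says nothing about who transmitted the frame.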
34. ADS-B Fundamentals
• A variety of ground-to-air services include:
  • Automatic Dependent Surveillance – Rebroadcast (ADS-R): Rebroadcast system to connect UAT and 1090ES.
  • Flight Information Service – Broadcast (FIS-B) (UAT only): Weather flight information system.
  • Traffic Information Service – Broadcast (TIS-B): “ADS-R” that tracks non-ADS-B Mode S flights (SSR).
35. Problem
• There are growing privacy and security concerns within the aviation sector with respect to ADS-B:
  • “General aviation operators are concerned about potential privacy and security implications resulting from equipping their aircraft with ADS-B. … The core concern of the operator community is real-time tracking of the geographic location of a specific aircraft”.
• The FAA response was the following:
  • “[We have] determined that equipping aircraft with ADS-B does not materially change the ability to track aircraft, because aircraft that currently operate with a Mode S transponder already transmit their ICAO [International Civil Aviation Organization] 24-bit code”.
36. Anonymity
• UAT data link has provisions for a self-assigned aircraft code that is based on the location at which this feature was enabled.
  • Only available for aircraft that don’t want ATC services, since the true registration identity cannot be determined.
  • No guarantee of aircraft code uniqueness.
  • Aircraft tend to operate on predictable routes or based out of particular airports… too easy to narrow the range of codes for an observer.
• What to do if this won’t work for 1090ES, and if just about all information about an aircraft is available online?
37. Attacks
• These types of attacks are possible
  • Disruption of GPS readings
  • Wireless jamming of surveillance-related communications
  • Manipulation of ADS-B transmissions
    • Message Injection (target ghost injection, flooding)
    • Message Deletion (aircraft obfuscation)
    • Message Modification (trajectory modification, aircraft impersonation)
38. Proposed Measures
• Private Aircraft Registry
• Anonymity Mode for 1090ES
• A hash-based message authentication code (HMAC) of 128 bits to be determined and split across these messages within the PI field
• Others… That end up changing the ADS-B specification…
39. Some Cybersecurity Standards for Aircraft
• Standard development for cybersecurity in the aviation industry has been going on for a few years.
• There is still much work; the two most prominent standards are
  • DO-356 Airworthiness Security Methods and Considerations
  • DO-355 Information Security Guidance for Continuing Airworthiness
40. A Few Words on UAS
• Technology rapidly evolving and becoming ubiquitous
• Definitely part of IoW ecosystem
• Many use case scenarios
  • Some legitimate uses
    • Payload sharing
    • UAS as a Service
  • Some unpleasant scenarios
    • Terrorism
    • Warfighting
    • ADS-B spoofing
    • ….